[Calico] Update to Calico v3.2

Change-Id: I2214fea8d8c1563b08c4015c9e91a29cf071af5a
This commit is contained in:
Chris Wedgwood 2018-10-01 23:30:18 +00:00
parent 46935734af
commit 26e1b9cde6
20 changed files with 424 additions and 638 deletions

View File

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
apiVersion: v1 apiVersion: v1
description: OpenStack-Helm BootStrap Calico description: OpenStack-Helm Calico
name: calico name: calico
version: 0.1.0 version: 0.1.0
home: https://github.com/projectcalico/calico home: https://github.com/projectcalico/calico

View File

@ -10,76 +10,61 @@ set -eux
# peers, and manipulate calico settings that we must perform # peers, and manipulate calico settings that we must perform
# post-deployment. # post-deployment.
CALICOCTL=/calicoctl CTL=/calicoctl
##################################################### # Generate configuration the way we want it to be, it doesn't matter
### process mesh and other cluster wide settings ### # if it's already set, in that case Calico will no nothing.
#####################################################
# get nodeToNodeMesh value # BGPConfiguration: nodeToNodeMeshEnabled & asNumber
MESH_VALUE=$(${CALICOCTL} config get nodeToNodeMesh) $CTL apply -f - <<EOF
apiVersion: projectcalico.org/v3
# update if necessary kind: BGPConfiguration
if [ "$MESH_VALUE" != "{{.Values.networking.settings.mesh}}" ];
then
$CALICOCTL config set nodeToNodeMesh {{.Values.networking.settings.mesh}}
fi;
# get asnumber value
AS_VALUE=$(${CALICOCTL} config get asNumber)
# update if necessary
if [ "$AS_VALUE" != "{{.Values.networking.bgp.asnumber}}" ];
then
$CALICOCTL config set asnumber {{.Values.networking.bgp.asnumber}}
fi;
#######################################################
### process ippools ###
#######################################################
# for posterity and logging
${CALICOCTL} get ipPool -o yaml
# ideally, we would support more then one pool
# and this would be a simple toYaml, but we want to
# avoid them having to spell out the podSubnet again
# or do any hackish replacement
#
# the downside here is that this embedded template
# will likely break when applied against calico v3
cat <<EOF | ${CALICOCTL} apply -f -
# process nat/ipip settings
apiVersion: v1
kind: ipPool
metadata: metadata:
cidr: {{.Values.conf.node.CALICO_IPV4POOL_CIDR}} name: default
spec: spec:
ipip: logSeverityScreen: Info
enabled: {{.Values.networking.settings.ippool.ipip.enabled}} nodeToNodeMeshEnabled: {{ .Values.networking.settings.mesh }}
mode: {{.Values.networking.settings.ippool.ipip.mode}} asNumber: {{ .Values.networking.bgp.asnumber }}
nat-outgoing: {{.Values.networking.settings.ippool.nat_outgoing}}
disabled: {{.Values.networking.settings.ippool.disabled}}
EOF EOF
####################################################### # FelixConfiguration: ipipEnabled
### bgp peers ### $CTL apply -f - <<EOF
####################################################### apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
name: default
spec:
ipipEnabled: {{ .Values.networking.settings.ippool.ipip.enabled }}
logSeverityScreen: Info
EOF
# for posterity and logging # ipPool - https://docs.projectcalico.org/v3.2/reference/calicoctl/resources/ippool
${CALICOCTL} get bgpPeer -o yaml $CTL apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: default-ipv4-ippool
spec:
cidr: {{ .Values.conf.node.CALICO_IPV4POOL_CIDR }}
ipipMode: {{ .Values.networking.settings.ippool.ipip.mode }}
natOutgoing: {{ .Values.networking.settings.ippool.nat_outgoing }}
disabled: {{ .Values.networking.settings.ippool.disabled }}
EOF
# process IPv4 peers
# IPv4 peers
{{ if .Values.networking.bgp.ipv4.peers }} {{ if .Values.networking.bgp.ipv4.peers }}
cat << EOF | ${CALICOCTL} apply -f - $CTL apply -f - <<EOF
{{ .Values.networking.bgp.ipv4.peers | toYaml }} {{ .Values.networking.bgp.ipv4.peers | toYaml }}
EOF EOF
{{ end }} {{ end }}
# process IPv6 peers # IPv6 peers
{{ if .Values.networking.bgp.ipv6.peers }} {{ if .Values.networking.bgp.ipv6.peers }}
cat << EOF | ${CALICOCTL} apply -f - $CTL apply -f - <<EOF
{{ .Values.networking.bgp.ipv6.peers | toYaml }} {{ .Values.networking.bgp.ipv6.peers | toYaml }}
EOF EOF
{{ end }} {{ end }}
exit 0

View File

@ -2,48 +2,54 @@
set -e set -e
# instantiate calicoctl in /opt/bin/cni, including # instantiate calicoctl in /opt/bin/cni, including a wrapper around
# a wrapper around the bin that points to the correct # the bin that points to the correct etcd endpoint and etcd
# etcd endpoint and etcd certificate data # certificate data
cp /calicoctl /host/opt/cni/bin/calicoctl.bin cp -v /calicoctl /host/opt/cni/bin/calicoctl.bin
chmod +x /host/opt/cni/bin/calicoctl.bin [ -x /host/opt/cni/bin/calicoctl.bin ] || chmod +x /host/opt/cni/bin/calicoctl.bin
if [ ! -z "$ETCD_KEY" ]; if [ ! -z "$ETCD_KEY" ]; then
then DIR=$(dirname /host/$ETCD_KEY_FILE)
DIR=$(dirname /host/$ETCD_KEY_FILE) mkdir -p $DIR
mkdir -p $DIR cat <<EOF>/host/$ETCD_KEY_FILE
cat <<EOF>/host/$ETCD_KEY_FILE
$ETCD_KEY $ETCD_KEY
EOF EOF
chmod 600 /host/$ETCD_KEY_FILE chmod 600 /host/$ETCD_KEY_FILE
fi; fi;
if [ ! -z "$ETCD_CA_CERT" ]; if [ ! -z "$ETCD_CA_CERT" ]; then
then DIR=$(dirname /host/$ETCD_CA_CERT_FILE)
DIR=$(dirname /host/$ETCD_CA_CERT_FILE) mkdir -p $DIR
mkdir -p $DIR cat <<EOF>/host/$ETCD_CA_CERT_FILE
cat <<EOF>/host/$ETCD_CA_CERT_FILE
$ETCD_CA_CERT $ETCD_CA_CERT
EOF EOF
chmod 600 /host/$ETCD_CA_CERT_FILE chmod 600 /host/$ETCD_CA_CERT_FILE
fi; fi;
if [ ! -z "$ETCD_CERT" ]; if [ ! -z "$ETCD_CERT" ]; then
then DIR=$(dirname /host/$ETCD_CERT_FILE)
DIR=$(dirname /host/$ETCD_CERT_FILE) mkdir -p $DIR
mkdir -p $DIR cat <<EOF>/host/$ETCD_CERT_FILE
cat <<EOF>/host/$ETCD_CERT_FILE
$ETCD_CERT $ETCD_CERT
EOF EOF
chmod 600 /host/$ETCD_CERT_FILE chmod 600 /host/$ETCD_CERT_FILE
fi; fi;
# This looks a bit funny. Notice that if $ETCD_ENDPOINTS and friends
# are defined in this (calico node initContainer/startup) context;
# generate a shell script to set the values on the host where thse
# variables will *not* be set
cat <<EOF>/host/opt/cni/bin/calicoctl cat <<EOF>/host/opt/cni/bin/calicoctl
export ETCD_ENDPOINTS=$ETCD_ENDPOINTS #!/bin/bash
#
# do *NOT* modify this file; this is autogenerated by the calico-node
# deployment startup process
[ -e $ETCD_KEY_FILE ] && export ETCD_KEY_FILE=$ETCD_KEY_FILE export ETCD_ENDPOINTS="${ETCD_ENDPOINTS}"
[ -e $ETCD_CERT_FILE ] && export ETCD_CERT_FILE=$ETCD_CERT_FILE
[ -e $ETCD_CA_CERT_FILE ] && export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE [ -e "${ETCD_KEY_FILE}" ] && export ETCD_KEY_FILE="${ETCD_KEY_FILE}"
[ -e "${ETCD_CERT_FILE}" ] && export ETCD_CERT_FILE="${ETCD_CERT_FILE}"
[ -e "${ETCD_CA_CERT_FILE}" ] && export ETCD_CA_CERT_FILE="${ETCD_CA_CERT_FILE}"
exec /opt/cni/bin/calicoctl.bin \$* exec /opt/cni/bin/calicoctl.bin \$*
EOF EOF

View File

@ -1,89 +0,0 @@
# Generated by confd
include "bird_aggr.cfg";
include "custom_filters.cfg";
include "bird_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}`}}{{`{{$node_ip := getv $node_ip_key}}`}}
# ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.no_mesh.port.listen}};
router id {{`{{$node_ip}}`}};
{{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}`}}{{`{{if exists $node_logging_key}}`}}{{`{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}}
{{`{{else if exists "/global/loglevel"}}`}}{{`{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}}
{{`{{else}}`}} debug { states };{{`{{end}}`}}
{{`{{end}}`}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export filter calico_ipip; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{`{{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{`{{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{`{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# Template for all BGP clients
template bgp bgp_template {
{{`{{template "LOGGING"}}`}}
description "Connection to BGP peer";
local as {{`{{if exists $node_as_key}}`}}{{`{{getv $node_as_key}}`}}{{`{{else}}`}}{{`{{getv "/global/as_num"}}`}}{{`{{end}}`}};
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_pools; # Only want to export routes for workloads.
next hop self; # Disable next hop processing and always advertise our
# local address as nexthop
source address {{`{{$node_ip}}`}}; # The local address we use for the TCP connection
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
}
# ------------- Global peers -------------
{{`{{if ls "/global/peer_v4"}}`}}
{{`{{range gets "/global/peer_v4/*"}}`}}{{`{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip "."}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}}
protocol bgp Global_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}};
neighbor port {{.Values.networking.bgp.ipv4.no_mesh.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}`}}# No global peers configured.{{`{{end}}`}}
# ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}`}}{{`{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip "."}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}}
protocol bgp Node_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}};
neighbor port {{.Values.networking.bgp.ipv4.no_mesh.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}`}}# No node-specific peers configured.{{`{{end}}`}}

View File

@ -1,20 +1,20 @@
# Generated by confd # Generated by confd
include "bird_aggr.cfg"; include "bird_aggr.cfg";
include "custom_filters.cfg";
include "bird_ipam.cfg"; include "bird_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}`}}{{`{{$node_ip := getv $node_ip_key}}`}} {{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}}
# ensure we only listen to a specific ip and address # ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.mesh.port.listen}}; listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.port.listen}};
router id {{`{{$node_ip}}`}}; {{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}}
{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}};`}}
{{`{{define "LOGGING"}}`}} {{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}`}}{{`{{if exists $node_logging_key}}`}}{{`{{$logging := getv $node_logging_key}}`}} {{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}} {{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else if exists "/global/loglevel"}}`}}{{`{{$logging := getv "/global/loglevel"}}`}} {{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}} {{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else}}`}} debug { states };{{`{{end}}`}} {{`{{else}} debug { states };{{end}}`}}
{{`{{end}}`}} {{`{{end}}`}}
# Configure synchronization between routing tables and kernel. # Configure synchronization between routing tables and kernel.
@ -34,21 +34,22 @@ protocol kernel {
# Watch interface up/down events. # Watch interface up/down events.
protocol device { protocol device {
{{`{{template "LOGGING"}}`}} {{` {{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds scan time 2; # Scan interfaces every 2 seconds
} }
protocol direct { protocol direct {
{{`{{template "LOGGING"}}`}} {{` {{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else. interface -"cali*", "*"; # Exclude cali* but include everything else.
} }
{{`{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} {{`{{if eq "" ($node_ip)}}# IPv4 disabled on this node.`}}
{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# Template for all BGP clients # Template for all BGP clients
template bgp bgp_template { template bgp bgp_template {
{{`{{template "LOGGING"}}`}} {{` {{template "LOGGING"}}`}}
description "Connection to BGP peer"; description "Connection to BGP peer";
local as {{`{{if exists $node_as_key}}`}}{{`{{getv $node_as_key}}`}}{{`{{else}}`}}{{`{{getv "/global/as_num"}}`}}{{`{{end}}`}}; {{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
multihop; multihop;
gateway recursive; # This should be the default, but just in case. gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream import all; # Import all routes, since we don't know what the upstream
@ -56,7 +57,7 @@ template bgp bgp_template {
export filter calico_pools; # Only want to export routes for workloads. export filter calico_pools; # Only want to export routes for workloads.
next hop self; # Disable next hop processing and always advertise our next hop self; # Disable next hop processing and always advertise our
# local address as nexthop # local address as nexthop
source address {{`{{$node_ip}}`}}; # The local address we use for the TCP connection {{` source address {{$node_ip}}; # The local address we use for the TCP connection`}}
add paths on; add paths on;
graceful restart; # See comment in kernel section about graceful restart. graceful restart; # See comment in kernel section about graceful restart.
} }
@ -65,14 +66,14 @@ template bgp bgp_template {
{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} {{`{{if (json (getv "/global/node_mesh")).enabled}}`}}
{{`{{range $host := lsdir "/host"}}`}} {{`{{range $host := lsdir "/host"}}`}}
{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} {{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}}
{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}`}}{{`{{if exists $onode_ip_key}}`}}{{`{{$onode_ip := getv $onode_ip_key}}`}} {{`{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}}
{{`{{$nums := split $onode_ip "."}}`}}{{`{{$id := join $nums "_"}}`}} {{`{{$nums := split $onode_ip "."}}{{$id := join $nums "_"}}`}}
# For peer {{`{{$onode_ip_key}}`}} {{`# For peer {{$onode_ip_key}}`}}
{{`{{if eq $onode_ip ($node_ip) }}`}}# Skipping ourselves ({{`{{$node_ip}}`}}) {{`{{if eq $onode_ip ($node_ip) }}# Skipping ourselves ({{$node_ip}})`}}
{{`{{else if ne "" $onode_ip}}`}}protocol bgp Mesh_{{`{{$id}}`}} from bgp_template { {{`{{else if ne "" $onode_ip}}protocol bgp Mesh_{{$id}} from bgp_template {`}}
neighbor {{`{{$onode_ip}}`}} as {{`{{if exists $onode_as_key}}`}}{{`{{getv $onode_as_key}}`}}{{`{{else}}`}}{{`{{getv "/global/as_num"}}`}}{{`{{end}}`}}; {{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
neighbor port {{.Values.networking.bgp.ipv4.mesh.port.neighbor}}; neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}};
}{{`{{end}}`}}{{`{{end}}`}}{{`{{end}}`}} {{`}{{end}}{{end}}{{end}}`}}
{{`{{else}}`}} {{`{{else}}`}}
# Node-to-node mesh disabled # Node-to-node mesh disabled
{{`{{end}}`}} {{`{{end}}`}}
@ -80,26 +81,27 @@ template bgp bgp_template {
# ------------- Global peers ------------- # ------------- Global peers -------------
{{`{{if ls "/global/peer_v4"}}`}} {{`{{if ls "/global/peer_v4"}}`}}
{{`{{range gets "/global/peer_v4/*"}}`}}{{`{{$data := json .Value}}`}} {{`{{range gets "/global/peer_v4/*"}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip "."}}`}}{{`{{$id := join $nums "_"}}`}} {{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}} {{`# For peer {{.Key}}`}}
protocol bgp Global_{{`{{$id}}`}} from bgp_template { {{`protocol bgp Global_{{$id}} from bgp_template {`}}
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}}; {{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv4.mesh.port.neighbor}}; neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}};
} }
{{`{{end}}`}} {{`{{end}}`}}
{{`{{else}}`}}# No global peers configured.{{`{{end}}`}} {{`{{else}}# No global peers configured.{{end}}`}}
# ------------- Node-specific peers ------------- # ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}} {{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}} {{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}`}}{{`{{$data := json .Value}}`}} {{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip "."}}`}}{{`{{$id := join $nums "_"}}`}} {{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}} {{`# For peer {{.Key}}`}}
protocol bgp Node_{{`{{$id}}`}} from bgp_template { {{`protocol bgp Node_{{$id}} from bgp_template {`}}
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}}; {{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv4.mesh.port.neighbor}}; neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}};
} }
{{`{{end}}`}} {{`{{end}}`}}
{{`{{else}}`}}# No node-specific peers configured.{{`{{end}}`}} {{`{{else}}# No node-specific peers configured.{{end}}`}}
{{`{{end}}{{/* End of IPv4 enable check */}}`}}

View File

@ -1,110 +0,0 @@
# Generated by confd
include "bird6_aggr.cfg";
include "custom_filters6.cfg";
include "bird6_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}`}}{{`{{$node_ip := getv $node_ip_key}}`}}
{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}`}}{{`{{$node_ip6 := getv $node_ip6_key}}`}}
router id {{`{{$node_ip}}`}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP
{{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}`}}{{`{{if exists $node_logging_key}}`}}{{`{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}}
{{`{{else if exists "/global/loglevel"}}`}}{{`{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}}
{{`{{else}}`}} debug { states };{{`{{end}}`}}
{{`{{end}}`}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export all; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{`{{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{`{{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{`{{if eq "" ($node_ip6)}}`}}# IPv6 disabled on this node.
{{`{{else}}`}}{{`{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.mesh.port.listen}};
# Template for all BGP clients
template bgp bgp_template {
{{`{{template "LOGGING"}}`}}
description "Connection to BGP peer";
local as {{`{{if exists $node_as_key}}`}}{{`{{getv $node_as_key}}`}}{{`{{else}}`}}{{`{{getv "/global/as_num"}}`}}{{`{{end}}`}};
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_pools; # Only want to export routes for workloads.
next hop self; # Disable next hop processing and always advertise our
# local address as nexthop
source address {{`{{$node_ip6}}`}}; # The local address we use for the TCP connection
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
}
# ------------- Node-to-node mesh -------------
{{`{{if (json (getv "/global/node_mesh")).enabled}}`}}
{{`{{range $host := lsdir "/host"}}`}}
{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}}
{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}`}}{{`{{if exists $onode_ip_key}}`}}{{`{{$onode_ip := getv $onode_ip_key}}`}}
{{`{{$nums := split $onode_ip ":"}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{$onode_ip_key}}`}}
{{`{{if eq $onode_ip ($node_ip6) }}`}}# Skipping ourselves ({{`{{$node_ip6}}`}})
{{`{{else if eq "" $onode_ip}}`}}# No IPv6 address configured for this node
{{`{{else}}`}}protocol bgp Mesh_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$onode_ip}}`}} as {{`{{if exists $onode_as_key}}`}}{{`{{getv $onode_as_key}}`}}{{`{{else}}`}}{{`{{getv "/global/as_num"}}`}}{{`{{end}}`}};
neighbor port {{.Values.networking.bgp.ipv6.mesh.port.neighbor}};
}{{`{{end}}`}}{{`{{end}}`}}{{`{{end}}`}}
{{`{{else}}`}}
# Node-to-node mesh disabled
{{`{{end}}`}}
# ------------- Global peers -------------
{{`{{if ls "/global/peer_v6"}}`}}
{{`{{range gets "/global/peer_v6/*"}}`}}{{`{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}}
protocol bgp Global_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}};
neighbor port {{.Values.networking.bgp.ipv6.mesh.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}`}}# No global peers configured.{{`{{end}}`}}
# ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}`}}{{`{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}}
protocol bgp Node_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}};
neighbor port {{.Values.networking.bgp.ipv6.mesh.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}`}}# No node-specific peers configured.{{`{{end}}`}}
{{`{{end}}`}}

View File

@ -1,93 +0,0 @@
# Generated by confd
include "bird6_aggr.cfg";
include "custom_filters6.cfg";
include "bird6_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}`}}{{`{{$node_ip := getv $node_ip_key}}`}}
{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}`}}{{`{{$node_ip6 := getv $node_ip6_key}}`}}
router id {{`{{$node_ip}}`}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP
{{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}`}}{{`{{if exists $node_logging_key}}`}}{{`{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}}
{{`{{else if exists "/global/loglevel"}}`}}{{`{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}}`}} debug all;{{`{{else if ne $logging "none"}}`}} debug { states };{{`{{end}}`}}
{{`{{else}}`}} debug { states };{{`{{end}}`}}
{{`{{end}}`}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export all; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{`{{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{`{{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{`{{if eq "" ($node_ip6)}}`}}# IPv6 disabled on this node.
{{`{{else}}`}}{{`{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.no_mesh.port.listen}};
# Template for all BGP clients
template bgp bgp_template {
{{`{{template "LOGGING"}}`}}
description "Connection to BGP peer";
local as {{`{{if exists $node_as_key}}`}}{{`{{getv $node_as_key}}`}}{{`{{else}}`}}{{`{{getv "/global/as_num"}}`}}{{`{{end}}`}};
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_pools; # Only want to export routes for workloads.
next hop self; # Disable next hop processing and always advertise our
# local address as nexthop
source address {{`{{$node_ip6}}`}}; # The local address we use for the TCP connection
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
}
# ------------- Global peers -------------
{{`{{if ls "/global/peer_v6"}}`}}
{{`{{range gets "/global/peer_v6/*"}}`}}{{`{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}}
protocol bgp Global_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}};
neighbor port {{.Values.networking.bgp.ipv6.no_mesh.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}`}}# No global peers configured.{{`{{end}}`}}
# ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}`}}{{`{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}`}}{{`{{$id := join $nums "_"}}`}}
# For peer {{`{{.Key}}`}}
protocol bgp Node_{{`{{$id}}`}} from bgp_template {
neighbor {{`{{$data.ip}}`}} as {{`{{$data.as_num}}`}};
neighbor port {{.Values.networking.bgp.ipv6.no_mesh.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}`}}# No node-specific peers configured.{{`{{end}}`}}
{{`{{end}}`}}

View File

@ -0,0 +1,110 @@
# Generated by confd
include "bird6_aggr.cfg";
include "bird6_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}}
{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}{{$node_ip6 := getv $node_ip6_key}}`}}
{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}}
{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP`}}
{{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else}} debug { states };{{end}}`}}
{{`{{end}}`}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export all; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{` {{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{` {{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{`{{if eq "" ($node_ip6)}}# IPv6 disabled on this node.`}}
{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.port.listen}};
# Template for all BGP clients
template bgp bgp_template {
{{` {{template "LOGGING"}}`}}
description "Connection to BGP peer";
{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_pools; # Only want to export routes for workloads.
next hop self; # Disable next hop processing and always advertise our
# local address as nexthop
{{` source address {{$node_ip6}}; # The local address we use for the TCP connection`}}
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
}
# ------------- Node-to-node mesh -------------
{{`{{if (json (getv "/global/node_mesh")).enabled}}`}}
{{`{{range $host := lsdir "/host"}}`}}
{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}}
{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}}
{{`{{$nums := split $onode_ip ":"}}{{$id := join $nums "_"}}`}}
{{`# For peer {{$onode_ip_key}}`}}
{{`{{if eq $onode_ip ($node_ip6) }}# Skipping ourselves ({{$node_ip6}})`}}
{{`{{else if eq "" $onode_ip}}# No IPv6 address configured for this node`}}
{{`{{else}}protocol bgp Mesh_{{$id}} from bgp_template {`}}
{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
{{`}{{end}}{{end}}{{end}}`}}
{{`{{else}}`}}
# Node-to-node mesh disabled
{{`{{end}}`}}
# ------------- Global peers -------------
{{`{{if ls "/global/peer_v6"}}`}}
{{`{{range gets "/global/peer_v6/*"}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}}
{{`# For peer {{.Key}}`}}
{{`protocol bgp Global_{{$id}} from bgp_template {`}}
{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}# No global peers configured.{{end}}`}}
# ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}}
{{`# For peer {{.Key}}`}}
{{`protocol bgp Node_{{$id}} from bgp_template {`}}
{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
}
{{`{{end}}`}}
{{`{{else}}# No node-specific peers configured.{{end}}`}}
{{`{{end}}`}}

View File

@ -1,9 +1,18 @@
# Generated by confd # Generated by confd
function osh_filters ()
{
# support any addresses matching our secondary announcements
{{- range .Values.networking.bgp.ipv6.additional_cidrs }}
if ( net ~ {{ . }} ) then { accept; }
{{- end }}
}
filter calico_pools { filter calico_pools {
calico_aggr(); calico_aggr();
custom_filters(); osh_filters();
{{`{{range ls "/pool"}}`}}{{`{{$data := json (getv (printf "/pool/%s" .))}}`}} {{`{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}`}}
if ( net ~ {{`{{$data.cidr}}`}} ) then { {{` if ( net ~ {{$data.cidr}} ) then {`}}
accept; accept;
} }
{{`{{end}}`}} {{`{{end}}`}}

View File

@ -1,22 +0,0 @@
# Generated by confd
# ------------- Static black hole addresses -------------
{{`{{if ls "/"}}`}}
protocol static {
{{`{{range ls "/"}}`}}
{{`{{$parts := split . "-"}}`}}
{{`{{$cidr := join $parts "/"}}`}}
route {{`{{$cidr}}`}} blackhole;
{{`{{end}}`}}
}
{{`{{else}}`}}# No static routes configured.{{`{{end}}`}}
# Aggregation of routes on this host; export the block, nothing beneath it.
function calico_aggr ()
{
{{`{{range ls "/"}}`}}
{{`{{$parts := split . "-"}}`}}
{{`{{$cidr := join $parts "/"}}`}}
if ( net = {{`{{$cidr}}`}} ) then { accept; }
if ( net ~ {{`{{$cidr}}`}} ) then { reject; }
{{`{{end}}`}}
}

View File

@ -1,32 +1,44 @@
# Generated by confd # Generated by confd
function osh_filters ()
{
# support any addresses matching our secondary announcements
{{- range .Values.networking.bgp.ipv4.additional_cidrs }}
if ( net ~ {{ . }} ) then { accept; }
{{- end }}
}
filter calico_pools { filter calico_pools {
calico_aggr(); calico_aggr();
custom_filters(); osh_filters();
{{`{{range ls "/v1/ipam/v4/pool"}}`}}{{`{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} {{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}}
if ( net ~ {{`{{$data.cidr}}`}} ) then { {{` if ( net ~ {{$data.cidr}} ) then {`}}
accept; accept;
} }
{{`{{end}}`}} {{`{{end}}`}}
reject; reject;
} }
{{`{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}`}}{{`{{$network := getv $network_key}}`}} {{`{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}{{if exists $network_key}}{{$network := getv $network_key}}`}}
filter calico_ipip { filter calico_ipip {
{{`{{range ls "/v1/ipam/v4/pool"}}`}}{{`{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} {{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}}
if ( net ~ {{`{{$data.cidr}}`}} ) then { {{` if ( net ~ {{$data.cidr}} ) then {`}}
{{`{{if $data.ipip_mode}}`}}{{`{{if eq $data.ipip_mode "cross-subnet"}}`}} {{`{{if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}`}}
if ( from ~ {{`{{$network}}`}} ) then {{` if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then`}}
krt_tunnel = ""; {{`{{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}`}} {{` krt_tunnel = ""; {{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}`}}
else else
krt_tunnel = "{{`{{$data.ipip}}`}}"; {{`{{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}`}} {{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
accept; accept;
} {{`{{else}}`}} {{` } {{else}}`}}
krt_tunnel = "{{`{{$data.ipip}}`}}"; {{`{{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}`}} {{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
accept; accept;
} {{`{{end}}`}} {{`{{else}}`}} {{` } {{end}} {{else}}`}}
krt_tunnel = "{{`{{$data.ipip}}`}}"; {{`{{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}`}} {{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
accept; accept;
} {{`{{end}}`}} {{` } {{end}}`}}
{{`{{end}}`}} {{`{{end}}`}}
accept; {{`{{/* Destination is not in any ipPool, accept */}}`}} {{` accept; {{/* Destination is not in any ipPool, accept */}}`}}
} }
{{`{{else}}`}}
filter calico_ipip { accept; }
{{`{{end}}{{/* End of 'exists $network_key' */}}`}}

View File

@ -1,13 +0,0 @@
# Generated by confd
function custom_filters ()
{
{{`{{range ls "/v4"}}`}}{{`{{$data := getv (printf "/v4/%s" .)}}`}}
{{`{{ $data }}`}}
{{`{{end}}`}}
# support any addresses matching our secondary announcements
{{ range .Values.networking.bgp.ipv4.additional_cidrs }}
if ( net ~ {{ . }} ) then { accept; }
{{ end }}
}

View File

@ -1,13 +0,0 @@
# Generated by confd
function custom_filters ()
{
{{`{{range ls "/v6"}}`}}{{`{{$data := getv (printf "/v6/%s" .)}}`}}
{{`{{ $data }}`}}
{{`{{end}}`}}
# support any addresses matching our secondary announcements
{{ range .Values.networking.bgp.ipv6.additional_cidrs }}
if ( net ~ {{ . }} ) then { accept; }
{{ end }}
}

View File

@ -25,23 +25,12 @@ metadata:
data: data:
# we overlay templates found natively in the calico-node container # we overlay templates found natively in the calico-node container
# so that we may override bgp configuration # so that we may override bgp configuration
bird6.cfg.mesh.template: | bird.cfg.template: |
{{ tuple "bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bird/_bird.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6.cfg.no-mesh.template: |
{{ tuple "bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6_ipam.cfg.template: |
{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_aggr.cfg.template: |
{{ tuple "bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird.cfg.mesh.template: |
{{ tuple "bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird.cfg.no-mesh.template: |
{{ tuple "bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_ipam.cfg.template: | bird_ipam.cfg.template: |
{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
custom_filters6.cfg.template: | bird6.cfg.template: |
{{ tuple "bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bird/_bird6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
custom_filters.cfg.template: | bird6_ipam.cfg.template: |
{{ tuple "bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }} {{- end }}

View File

@ -16,19 +16,6 @@ limitations under the License.
{{- if .Values.manifests.configmap_etc }} {{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }} {{- $envAll := . }}
{{- if empty .Values.conf.cni_network_config.mtu -}}
{{/*
#NOTE(portdirect): to err on the side of caution we subtract 20 from the physical
# MTU to account for IPIP overhead unless explicty turned off.
*/}}
{{- if eq .Values.conf.node.CALICO_IPV4POOL_IPIP "off" -}}
{{- $_ := set .Values.conf.cni_network_config "mtu" .Values.networking.mtu -}}
{{- else -}}
{{- $_ := set .Values.conf.cni_network_config "mtu" (sub .Values.networking.mtu 20) -}}
{{- end -}}
{{- end -}}
--- ---
kind: ConfigMap kind: ConfigMap
apiVersion: v1 apiVersion: v1

View File

@ -19,6 +19,7 @@ limitations under the License.
{{- $serviceAccountName := "calico-etcd"}} {{- $serviceAccountName := "calico-etcd"}}
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses # to force it to run on the master even when the master isn't schedulable, and uses
@ -49,6 +50,7 @@ spec:
# a failure. This annotation works in tandem with the toleration below. # a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
spec: spec:
serviceAccountName: {{ $serviceAccountName }}
tolerations: tolerations:
# This taint is set by all kubelets running `--cloud-provider=external` # This taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the Calico pods # so we should tolerate it to schedule the Calico pods

View File

@ -17,34 +17,42 @@ limitations under the License.
{{- if .Values.manifests.daemonset_calico_node }} {{- if .Values.manifests.daemonset_calico_node }}
{{- $envAll := . }} {{- $envAll := . }}
{{/* Adjust MTU iff we have tunnel overhead; 20 suffices for an IPv4 IPIP header */}}
{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}}
{{- $_ := set .Values.networking "mtu" (sub .Values.networking.mtu 20) -}}
# Adjusted MTU to {{ .Values.networking.mtu }}
{{ end -}}
{{/* Some values need to be specified in multiple places; set appropriately */}}
{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}}
{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" .Values.networking.mtu -}}
{{- end -}}
{{- if empty .Values.conf.node.CNI_MTU -}}
{{- $_ := set .Values.conf.node "CNI_MTU" .Values.conf.node.FELIX_IPINIPMTU -}}
{{- end -}}
{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}} {{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}}
{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}} {{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}} {{- $serviceAccountName := "calico-node"}}
{{/*
#NOTE(portdirect): to err on the side of caution we subtract 20 from the physical
# MTU to account for IPIP overhead unless explicty turned off.
*/}}
{{- if eq .Values.conf.node.CALICO_IPV4POOL_IPIP "off" -}}
{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" .Values.networking.mtu -}}
{{- else -}}
{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}}
{{- end -}}
{{- end -}}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}}
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: calico-cni-plugin name: calico-node
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ $serviceAccountName }} name: calico-node
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ $serviceAccountName }} name: {{ $serviceAccountName }}
@ -61,6 +69,9 @@ rules:
- nodes - nodes
verbs: verbs:
- get - get
- apiGroups: ["batch" ]
resources: ["jobs"]
verbs: ["get" ]
--- ---
# This manifest installs the calico/node container, as well # This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on # as the Calico CNI plugins and network config on
@ -118,6 +129,7 @@ spec:
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0 terminationGracePeriodSeconds: 0
initContainers: initContainers:
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ if .Values.manifests.daemonset_calico_node_calicoctl }} {{ if .Values.manifests.daemonset_calico_node_calicoctl }}
@ -132,7 +144,6 @@ spec:
configMapKeyRef: configMapKeyRef:
name: calico-etc name: calico-etc
key: etcd_endpoints key: etcd_endpoints
{{ if .Values.endpoints.etcd.auth.client.tls.ca}} {{ if .Values.endpoints.etcd.auth.client.tls.ca}}
- name: ETCD_CA_CERT_FILE - name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }} value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
@ -181,6 +192,7 @@ spec:
subPath: tls.key subPath: tls.key
readOnly: true readOnly: true
{{ end }} {{ end }}
containers: containers:
# Runs calico/node container on each Kubernetes node. This # Runs calico/node container on each Kubernetes node. This
# container programs network policy and routes on each # container programs network policy and routes on each
@ -239,6 +251,15 @@ spec:
periodSeconds: 10 periodSeconds: 10
initialDelaySeconds: 10 initialDelaySeconds: 10
failureThreshold: 6 failureThreshold: 6
# Only for Calico v3
readinessProbe:
exec:
command:
- /bin/calico-node
- -bird-ready
- -felix-ready
periodSeconds: 10
volumeMounts: volumeMounts:
- mountPath: /lib/modules - mountPath: /lib/modules
name: lib-modules name: lib-modules
@ -249,37 +270,21 @@ spec:
# bird template replacements # bird template replacements
# bird cfg # bird cfg
- mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template - mountPath: /etc/calico/confd/templates/bird.cfg.template
name: calico-bird name: calico-bird
subPath: bird.cfg.mesh.template subPath: bird.cfg.template
- mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template
name: calico-bird
subPath: bird.cfg.no-mesh.template
# bird ipam # bird ipam
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
name: calico-bird name: calico-bird
subPath: bird_ipam.cfg.template subPath: bird_ipam.cfg.template
# bird6 cfg # bird6 cfg
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template - mountPath: /etc/calico/confd/templates/bird6.cfg.template
name: calico-bird name: calico-bird
subPath: bird6.cfg.mesh.template subPath: bird6.cfg.template
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
name: calico-bird
subPath: bird6.cfg.no-mesh.template
# bird6 ipam # bird6 ipam
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
name: calico-bird name: calico-bird
subPath: bird6_ipam.cfg.template subPath: bird6_ipam.cfg.template
# filters...
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
name: calico-bird
subPath: bird_aggr.cfg.template
- mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template
name: calico-bird
subPath: custom_filters6.cfg.template
- mountPath: /etc/calico/confd/templates/custom_filters.cfg.template
name: calico-bird
subPath: custom_filters.cfg.template
# etcd secrets # etcd secrets
- mountPath: /var/lib/calico - mountPath: /var/lib/calico
name: var-lib-calico name: var-lib-calico
@ -300,15 +305,14 @@ spec:
# and CNI network config file on each node. # and CNI network config file on each node.
- name: install-cni - name: install-cni
{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command: ["/install-cni.sh"] command: ["/install-cni.sh"]
env: env:
# Name of the CNI config file to create. # Name of the CNI config file to create.
# #
# NOTE: Calico v2 needs to end in .conf; Calico v3 is # NOTE: Calico v3 needs to end in .conflist; Calico v2 is
# different! # different!
- name: CNI_CONF_NAME - name: CNI_CONF_NAME
value: "10-calico.conf" value: "10-calico.conflist"
# The location of the Calico etcd cluster. # The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS - name: ETCD_ENDPOINTS
valueFrom: valueFrom:
@ -321,6 +325,7 @@ spec:
configMapKeyRef: configMapKeyRef:
name: calico-etc name: calico-etc
key: cni_network_config key: cni_network_config
volumeMounts: volumeMounts:
- name: cni-bin-dir - name: cni-bin-dir
mountPath: /host/opt/cni/bin mountPath: /host/opt/cni/bin
@ -362,4 +367,5 @@ spec:
- name: calico-etcd-secrets - name: calico-etcd-secrets
secret: secret:
secretName: calico-etcd-secrets secretName: calico-etcd-secrets
{{- end }} {{- end }}

View File

@ -1,4 +1,4 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
@ -17,7 +17,7 @@ limitations under the License.
{{- if .Values.manifests.deployment_calico_kube_controllers }} {{- if .Values.manifests.deployment_calico_kube_controllers }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}} {{- $serviceAccountName := "calico-kube-controllers"}}
{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
@ -58,6 +58,7 @@ rules:
- watch - watch
- list - list
--- ---
# This manifest deploys the Calico Kubernetes controllers. # This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers # See https://github.com/projectcalico/kube-controllers
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
@ -101,6 +102,7 @@ spec:
- key: node.cloudprovider.kubernetes.io/uninitialized - key: node.cloudprovider.kubernetes.io/uninitialized
value: "true" value: "true"
effect: NoSchedule effect: NoSchedule
- key: CriticalAddonsOnly - key: CriticalAddonsOnly
operator: Exists operator: Exists
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
@ -152,6 +154,12 @@ spec:
subPath: tls.key subPath: tls.key
readOnly: true readOnly: true
# Calico v3 only
readinessProbe:
exec:
command:
- /usr/bin/check-status
- -r
volumes: volumes:
- name: calico-etcd-secrets - name: calico-etcd-secrets
secret: secret:

View File

@ -0,0 +1,2 @@
H4sIAJLrq1sCA+3IOwqFMABE0SwlS4jGxPVYvFIQP4W7N1ja+0A4p7nD/OZlP8O7UlOH4W7z7L27
nEs/1lL62v4x5S7EFP7g2PZpjTEAAAAAAAAAAADAh1zOUd8NACgAAA==

View File

@ -14,13 +14,15 @@
images: images:
tags: tags:
calico_etcd: quay.io/coreos/etcd:v3.1.14 # These are minimum versions, older images will very likely not
calico_node: quay.io/calico/node:v2.6.9 # work
calico_cni: quay.io/calico/cni:v1.11.5 calico_etcd: quay.io/coreos/etcd:v3.3.9
calico_ctl: quay.io/calico/ctl:v1.6.4 calico_node: quay.io/calico/node:v3.2.1
calico_settings: quay.io/calico/ctl:v1.6.4 calico_cni: quay.io/calico/cni:v3.2.1
calico_ctl: calico/ctl:release-v3.2-amd64
calico_settings: calico/ctl:release-v3.2-amd64
# NOTE: plural key, singular value # NOTE: plural key, singular value
calico_kube_controllers: quay.io/calico/kube-policy-controller:v0.7.0 calico_kube_controllers: quay.io/calico/kube-controllers:v3.2.1
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0 image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent pull_policy: IfNotPresent
@ -179,9 +181,9 @@ monitoring:
networking: networking:
podSubnet: 192.168.0.0/16 podSubnet: 192.168.0.0/16
# NOTE(portdirect): this should be the physical MTU, the appropriate MTU # Physical MTU, if ipip is enabled, the chart will adjust things downward
# that calico should use will be calculated.
mtu: 1500 mtu: 1500
settings: settings:
mesh: "on" mesh: "on"
# technically this could be a list, today we only support # technically this could be a list, today we only support
@ -190,66 +192,57 @@ networking:
ippool: ippool:
ipip: ipip:
enabled: "true" enabled: "true"
# lowercase value # Titlecase
mode: "always" mode: "Always"
nat_outgoing: "true" nat_outgoing: "true"
disabled: "false" disabled: "false"
bgp: bgp:
# our asnumber for bgp peering # our asnumber for bgp peering
asnumber: 64512 asnumber: 64512
ipv4: ipv4:
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer # https://docs.projectcalico.org/v3.2/reference/calicoctl/resources/bgppeer
# #
# this is a list of peer objects that will be passed directly to # this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and # calicoctl - for global peers, the scope should be global and
# the node attribute removed # the node attribute removed
# #
# apiVersion: v1 # apiVersion: projectcalico.org/v3
# kind: bgpPeer # kind: BGPPeer
# metadata: # metadata:
# peerIP: 10.1.10.39 # name: some.name
# scope: node
# node: some.name
# spec: # spec:
# node: rack1-host1
# peerIP: 10.1.10.39
# asNumber: 64512 # asNumber: 64512
peers: [] peers: []
# this is a list of additional IPv4 cidrs that if we discover # this is a list of additional IPv4 cidrs that if we discover
# IPs within them on a host, we will announce the address in # IPs within them on a host, we will announce the address in
# addition to traditional pod workloads # addition to traditional pod workloads
additional_cidrs: [] additional_cidrs: []
mesh:
port:
neighbor: 179
listen: 179
no_mesh:
port: port:
neighbor: 179 neighbor: 179
listen: 179 listen: 179
ipv6: ipv6:
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer # https://docs.projectcalico.org/v3.2/reference/calicoctl/resources/bgppeer
# #
# this is a list of peer objects that will be passed directly to # this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and # calicoctl - for global peers, the scope should be global and
# the node attribute removed # the node attribute removed
# #
# apiVersion: v1 # apiVersion: projectcalico.org/v3
# kind: bgpPeer # kind: BGPPeer
# metadata: # metadata:
# peerIP: 2600:1:2:3::abcd # name: some.name
# scope: node
# node: rack1-host1
# spec: # spec:
# node: rack1-host1
# peerIP: 2600:1:2:3::abcd
# asNumber: 64512 # asNumber: 64512
peers: [] peers: []
# this is a list of additional IPv6 cidrs that if we discover # this is a list of additional IPv6 cidrs that if we discover
# IPs within them on a host, we will announce them in addition # IPs within them on a host, we will announce them in addition
# to traditional pod workloads # to traditional pod workloads
additional_cidrs: [] additional_cidrs: []
mesh:
port:
neighbor: 179
listen: 179
no_mesh:
port: port:
neighbor: 179 neighbor: 179
listen: 179 listen: 179
@ -260,22 +253,34 @@ conf:
ca: null ca: null
key: null key: null
certificate: null certificate: null
# NOTE; syntax has subtly changed since Calico v2. For Armada *all*
# of this needes to be specified. We're using yaml here which we
# can't robustly convert to json (which the node pod requires) so it
# might be we revisit that and embedded a json string that gets
# edits
cni_network_config: cni_network_config:
# https://docs.projectcalico.org/v2.0/reference/cni-plugin/configuration # https://docs.projectcalico.org/v3.2/reference/cni-plugin/configuration
#
# other than the etcd_* keys you likely want to leave this as-is
name: k8s-pod-network name: k8s-pod-network
cniVersion: 0.1.0 cniVersion: 0.3.0
type: calico plugins:
etcd_endpoints: __ETCD_ENDPOINTS__ - type: calico
log_level: info log_level: info
mtu: null etcd_endpoints: __ETCD_ENDPOINTS__
etcd_key_file: __ETCD_KEY_FILE__
etcd_cert_file: __ETCD_CERT_FILE__
etcd_ca_cert_file: __ETCD_CA_CERT_FILE__
ipam: ipam:
type: calico-ipam type: calico-ipam
policy: policy:
type: k8s type: k8s
k8s_api_root: https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__
k8s_auth_token: __SERVICEACCOUNT_TOKEN__
kubernetes: kubernetes:
kubeconfig: "/etc/cni/net.d/__KUBECONFIG_FILENAME__" kubeconfig: __KUBECONFIG_FILEPATH__
- type: portmap
snat: true
capabilities:
portMappings: true
controllers: controllers:
# The location of the Kubernetes API. Use the default Kubernetes # The location of the Kubernetes API. Use the default Kubernetes
# service for API access. # service for API access.
@ -286,11 +291,14 @@ conf:
# access, configure the container's /etc/hosts to resolve # access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP. # kubernetes.default to the correct service clusterIP.
CONFIGURE_ETC_HOSTS: "true" CONFIGURE_ETC_HOSTS: "true"
node: node:
# for specific details see
# https://docs.projectcalico.org/v3.2/reference/node/configuration
name: k8s-pod-network
# Cluster type to identify the deployment type # Cluster type to identify the deployment type
CLUSTER_TYPE: # NOTE: v2 had a list ... v3 a comma separated string
- kubeadm CLUSTER_TYPE: "k8s,bgp"
- bgp
# Describes which BGP networking backend to use gobgp, bird, none. Default is bird. # Describes which BGP networking backend to use gobgp, bird, none. Default is bird.
# NOTE(alanmeadows) today this chart only supports applying the bgp customizations to # NOTE(alanmeadows) today this chart only supports applying the bgp customizations to
# bird templates - in the future we may support gobgp as well # bird templates - in the future we may support gobgp as well
@ -308,8 +316,8 @@ conf:
# Configure the IP Pool from which Pod IPs will be chosen. # Configure the IP Pool from which Pod IPs will be chosen.
CALICO_IPV4POOL_CIDR: null CALICO_IPV4POOL_CIDR: null
# Change this to 'off' in environments with direct L2 communication # Change this to 'off' in environments with direct L2 communication
# lowercase # Titlecase
CALICO_IPV4POOL_IPIP: "always" CALICO_IPV4POOL_IPIP: "Always"
# Disable IPv6 on Kubernetes. # Disable IPv6 on Kubernetes.
FELIX_IPV6SUPPORT: "false" FELIX_IPV6SUPPORT: "false"
# Set MTU for tunnel device used if ipip is enabled # Set MTU for tunnel device used if ipip is enabled